Skip to content

Release: staging -> main (2026-04-21 08:15)#547

Merged
is0692vs merged 154 commits into
mainfrom
staging
Apr 21, 2026
Merged

Release: staging -> main (2026-04-21 08:15)#547
is0692vs merged 154 commits into
mainfrom
staging

Conversation

@github-actions

@github-actions github-actions Bot commented Apr 20, 2026

Copy link
Copy Markdown

Summary

Promotes staging into main.

  • Source branch: staging
  • Target branch: main
  • Generated by npm run pr:promote

Included PRs

Compare

google-labs-jules Bot and others added 30 commits April 18, 2026 02:54
- Added a new E2E scenario for user profile page to ensure it displays correctly, including the RSS feed button and the '+ 新規作成' link for the user's own profile.
- Fixed a bug where tests requiring test-org setup failed due to an undefined `TEST_AUTH_SECRET`.
- Added `JWT_SECRET` to the local `playwright.config.ts` webServer command so the API backend can properly authenticate requests in local tests.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
- Added a new E2E scenario for user profile page to ensure it displays correctly, including the RSS feed button and the '+ 新規作成' link for the user's own profile.
- Fixed a bug where tests requiring test-org setup failed due to an undefined `TEST_AUTH_SECRET`.
- Added `JWT_SECRET` to the local `playwright.config.ts` webServer command so the API backend can properly authenticate requests in local tests.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Replaced the hardcoded string "DUMMY_SECRET_FOR_TIMING_EQUAL" in the CSRF middleware fallback with `crypto.randomUUID()`. This eliminates the risk of an attacker predicting the expected secret and potentially bypassing CSRF protection if the `TEST_AUTH_SECRET` environment variable is ever accidentally omitted.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
…gin.ts

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
This adds `revokeUrlsIdle` to asynchronously revoke Object URLs in chunks via `requestIdleCallback`. Before this change, synchronously revoking many ObjectURLs caused a noticeable UI freeze during unmounts or aborted loads.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
💡 **What:** Added an early return if (rows.length === 0) to latestTimestamp to avoid parsing the fallback date when there are no rows to compare against.
🎯 **Why:** The fallback date string was being converted to ISO and parsed to a Date object in every loop iteration (or even when there are no iterations), causing an N+1 Date parsing issue and unnecessary overhead for empty arrays.
📊 **Measured Improvement:** In a local benchmark script, executing latestTimestamp on an empty array 10,000 times took ~42.5ms originally, and only ~0.6ms with the early return optimization.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
This adds `revokeUrlsIdle` to asynchronously revoke Object URLs in chunks via `requestIdleCallback`. Before this change, synchronously revoking many ObjectURLs caused a noticeable UI freeze during unmounts or aborted loads.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
This adds `revokeUrlsIdle` to asynchronously revoke Object URLs in chunks via `requestIdleCallback`. Before this change, synchronously revoking many ObjectURLs caused a noticeable UI freeze during unmounts or aborted loads.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Refactor the nested if statement in the error handler of
deleteKeysInBatches to use an early return pattern. This improves
code readability and maintainability.

The specific WritableStream snippet in the issue was not found, but
the logic at the provided file and line number was correctly
identified and refactored.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Sanitize error objects before logging in `apps/api/src/routes/papers.ts` to prevent leaking sensitive information to observability platforms.
Error objects are now converted to their messages or string representations before being passed to `console.error`.
Added test cases in `apps/api/src/routes/__tests__/papers.test.ts` to verify the sanitization.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Adds comprehensive unit tests for the `matchesOriginPattern` utility function in `apps/api/src/utils/origin.ts`.
The tests cover:
- Global wildcard matches
- Exact matches without wildcards
- Single and multiple subdomain wildcards
- Handling of multiple wildcards in a single pattern
- Correct escaping of special regex characters in patterns

Manual verification was performed using Node.js as the environment had restricted access to `vitest`.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
This adds `revokeUrlsIdle` to asynchronously revoke Object URLs in chunks via `requestIdleCallback`. Before this change, synchronously revoking many ObjectURLs caused a noticeable UI freeze during unmounts or aborted loads.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Refactored nested conditional error handling into a guard clause
to improve readability. Added a new unit test to verify error
propagation during R2 deletion failure, ensuring 100% patch coverage
for the refactored branch.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
- Sanitize error objects before logging in `apps/api/src/routes/papers.ts` and CSRF middleware in `apps/api/src/index.ts`.
- Ensure only error messages or string representations are logged to prevent leaking internal metadata.
- Added and updated unit tests in `apps/api/src/routes/__tests__/papers.test.ts` and `apps/api/src/routes/__tests__/csrf.test.ts` to verify the fix and improve coverage of error-handling paths.
- Cleaned up temporary files.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
- Refactor `matchesOriginPattern` to use a two-step escaping process that explicitly escapes all regex special characters (including dots and wildcards) before converting wildcards to the segment regex `[a-zA-Z0-9-]+`. This addresses CodeQL "unescaped dot" alerts.
- Update tests to use global regex replacement (`.replace(/%/g, "*")`) instead of string replacement to address the CodeQL "replaces only first occurrence" alert.
- Verified functional equivalence with manual Node.js test script.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
- Introduce local Map caches to memoize `parseStoredTags` results and
  `toLowerCase` transformations within the `GET /api/orgs/:slug/tags` route.
- Add a new test case in `orgs.test.ts` to verify caching and filtering
  logic, ensuring 70%+ patch coverage.

Benchmark results (1000 iterations over 1000 papers):
- Original: 1.066s
- Optimized: 215.323ms (~80% improvement)

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Refactored nested conditional error handling into a guard clause for
better readability. Added a unit test to cover the early-throw branch
in deleteKeysInBatches, ensuring 100% coverage for the refactor and
satisfying Codecov patch requirements. Cleaned up unnecessary whitespace.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
@github-actions github-actions Bot changed the title Release: staging -> main (2026-04-21 07:35) Release: staging -> main (2026-04-21 07:36) Apr 21, 2026
…flare/workers-types-4.20260420.1

chore(deps-dev): bump @cloudflare/workers-types from 4.20260414.1 to 4.20260420.1
@github-actions github-actions Bot changed the title Release: staging -> main (2026-04-21 07:36) Release: staging -> main (2026-04-21 07:37) Apr 21, 2026
…indcss-4.2.3

chore(deps-dev): bump tailwindcss from 4.2.2 to 4.2.3
…t-config-next-16.2.4

chore(deps-dev): bump eslint-config-next from 16.2.3 to 16.2.4
@github-actions github-actions Bot changed the title Release: staging -> main (2026-04-21 07:37) Release: staging -> main (2026-04-21 07:38) Apr 21, 2026
is0692vs and others added 10 commits April 21, 2026 16:41
# Conflicts:
#	package-lock.json
#	package.json
# Conflicts:
#	apps/api/package.json
#	apps/web/package.json
#	package-lock.json
# Conflicts:
#	apps/web/package.json
#	package-lock.json
# Conflicts:
#	apps/api/package.json
#	apps/web/package.json
#	package-lock.json
…cript-eslint/eslint-plugin-8.59.0

chore(deps-dev): bump @typescript-eslint/eslint-plugin from 8.56.1 to 8.59.0
@github-actions github-actions Bot changed the title Release: staging -> main (2026-04-21 07:38) Release: staging -> main (2026-04-21 08:03) Apr 21, 2026
…60421

chore: Dependabotの更新をグルーピング
@github-actions github-actions Bot changed the title Release: staging -> main (2026-04-21 08:03) Release: staging -> main (2026-04-21 08:04) Apr 21, 2026
is0692vs and others added 4 commits April 21, 2026 17:05
# Conflicts:
#	package-lock.json
#	package.json
# Conflicts:
#	package-lock.json
#	package.json
…eed/vitest-plugin-5.3.0

chore(deps-dev): bump @codspeed/vitest-plugin from 5.2.0 to 5.3.0
@github-actions github-actions Bot changed the title Release: staging -> main (2026-04-21 08:04) Release: staging -> main (2026-04-21 08:09) Apr 21, 2026
…cript-6.0.3

chore(deps-dev): bump typescript from 5.9.3 to 6.0.3
@github-actions github-actions Bot changed the title Release: staging -> main (2026-04-21 08:09) Release: staging -> main (2026-04-21 08:10) Apr 21, 2026
is0692vs and others added 2 commits April 21, 2026 17:12
# Conflicts:
#	package-lock.json
#	package.json
…t-10.2.1

chore(deps-dev): bump eslint from 9.39.3 to 10.2.1
@github-actions github-actions Bot changed the title Release: staging -> main (2026-04-21 08:10) Release: staging -> main (2026-04-21 08:15) Apr 21, 2026
@is0692vs
is0692vs merged commit 85c00e1 into main Apr 21, 2026
34 of 35 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automated Automated main-to-staging sync PR javascript Pull requests that update javascript code release Release promotion PR size/XXL

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants